Geek.450
Description Geek.450
It's a very dangerous memory resident parasitic virus. On execution it copies itself into the Interrupt Vector Table and hooks INT 21h. It then infects COM and EXE files that are executed. On the 29th of every month it erases disk sectors with randomly selected numbers. It contains the internal text strings: "v07a", "GEEK", "dex".
Barrotes family
Description Barrotes family
These are dangerous memory resident parasitic viruses. On execution they infect the C:COMMAND.COM file. They then hook INT 21h, stay memory resident and infect COM and EXE files that are executed. They contain the internal text string "c:command.com". On January 5th they erase the MBR sector, hook INT 1Ch, and display several vertical lines and the message: "Virus BARROTES por OSoft".
"Barrotes.849" infects COM files only.
"Barrotes.1310.d" does not corrupt the MBR. On installation it uses an i386 instruction. It displays the message: "Virus MIKELON por MSoft".
"Barrotes.1461" corrupts disk sectors on March 3rd and displays: "This is virus RETRETE! Don't attempt to recover your disk yourself!"
"Barrotes.1463" tries to manifest itself with a video effect, but fails. It contains the encrypted text: ViRUS de G.D.R. (c)PutoSOŸT, NO HAY NADA COMO G.D.R. ¿¿ VERDAD ?? ;-)
"Barrotes.1874" plays a tune.
Barrotes.Tecla.1303
It is not a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. When installing, it infects the C:COMMAND.COM file. On September 23rd it also hooks INT 16h and changes the scancodes of keys that are entered. This virus contains the text strings: C:COMMAND.COM Sta Tecla (MAD1) ST
Bash.3241
Description Bash.3241
These are dangerous memory resident polymorphic parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or opened. The viruses also affect ARJ archives and insert an infected dropper file into them. The viruses use many anti-debugging tricks, which are buggy and often halt the system as a result.
The viruses perform several actions intended to disable anti-virus programs. First, while installing themselves memory resident, they look for the TBAV anti-virus driver in memory and disable it. They also look for anti-virus data files and delete them:
ANTI-VIR.DAT, CRC.SVS, MSAV.CHK, BOOT.MS, ANTIVIR.DAT, CRC_.SVS, SMARTCHK.CPS, BOOT.NTZ, ANYCHECK.VAL, FILES.VVL, TBUTIL.DAT, BOOT.TAV, AVP.CRC, FINGERP.VVF, ZZ##.IM, IV.INI, CHKLIST.CPS, IM.PRM, _ADINF.INI, PART.NTZ, CHKLIST.MS, IVB.INI, AV.CRC, VIRSORT.DAT, CHKLIST.TAV, IVB.NTZ, BOOT.CPS, TBUTIL.DAT
The viruses also patch the AVP 2.x package, if it is installed. They create the BIZATCH.AVB database in the AVP directory and register it in the AVP.SET file. See "Anti-AVP" for more details.
From September 17th till October the viruses attempt to erase disk sectors and display a picture, but fail because of a bug.
[ASCII-art picture; its layout is lost in this copy. It includes the text "AuRoDrEpH", "The Drow" and "Was Back !!!".]
The viruses also delete disk files. In the root directories of all available logical drives they delete the "?????x??.*" files, where "x" is the drive letter. They also look for the SYSTEM\IOSUBSYS\HSFLOP.PDR file in the Windows directory and delete it.
The viruses contain the text strings: CARO: Please label this creation Hare.Little_Brother :-) or if you want BSHME.Buggy.7xxx - This version is for educational purpose only! Greetx to all virus writers! Still buggy but it works... -=[ 1996 ]=- -=[ U$A ]=- -=[ BSHME ]=-